Important: Microsoft Software Update for May 9th, 2006 and Impact on BES


Latest email from RIM sent tonight. Sorry if duplicate.

Dear Customer,

In line with Microsoft's Security Update Advisor monthly patch update (http://www.microsoft.com/technet/sec.../advance.mspx), they have plans on releasing a patch on May 9, 2006 for Exchange 2000 Server and Exchange Server 2003. If you are planning on installing this update, it's important to note that this update affects user mailbox permissions by revoking the 'Send As' permission in Exchange, which has an impact on third party products such as BlackBerry Enterprise Server for Microsoft Exchange. Once applied, this update will prevent users on BlackBerry Enterprise Server from sending email from a BlackBerry or BlackBerry-enabled device.

Recommended Resolution
RIM, in conjunction with Microsoft, has provided configuration settings that must be implemented to enable BlackBerry users to continue sending messages. Microsoft is recommending modifying permissions in Active Directory as outlined in the following public-facing Microsoft KBA: http://support.microsoft.com/kb/912918

Before applying this Microsoft Software Update, RIM recommends that Administrators review these two Knowledge Base articles and take any necessary steps appropriate for their environment. Please contact if additional support is required for this as it applies to BlackBerry Enterprise Server.

I've been looking at this today. It would seem when you send an email RIM take ownership of it and hence it doesn't originate where it appears to have (the user's email address). This must make it look like SPAM. I can see why MS have implemented such a change, and it will certainly be beneficial in combating unwanted SPAM (which even a small company like ours spends thousands a year trying to cut unwanted mails out), but annoyingly it has a knock-on effect on the BES.

As another thought, I bet this has an effect on BlackBerry Internet Mail as well, where users will have changed the 'Sent From' address on their BlackBerry webmail interface. I can see emails potentially getting bounced back in these instances too, although you would think RIM would have mentioned this. Perhaps I'm mistaken!

I don't think the instructions posted on blackberry.com will work unless all of your users are under the 'users' OU in AD. I think it would be better to apply the 'send as' permission at the root of the domain. Comments?


If you aren't constrained and don't mind every user being subject to that permission, then why not - it'd definitely be easier than running and maintaining a damn sorry script provided by Microsoft. The Users object refers to "(objectClass=Users)" which is any AD object marked as a user. It states to repeat the steps for all OUs that are applicable (not sure if this is necessarily a good idea, as it would give unnecessary access to non-applicable users unless you group BlackBerry users together in their own OU). I suppose if the service account has permissions to the CEO, President, every EVP and SVP, every Director, etc., then it likely won't mean all that much to allow it permissions on Joe Random, either...

__________________In the beginning the Universe was created. This has made a lot of people very angry and is widely regarded as a bad move.


It wouldn't. It only prevents users within an Exchange environment from sending as another user or service account or shared mailbox or whatever if that permission wasn't applied.

What doesn't make sense, in my opinion, is why we would set implicit 'Send As' permissions in Exchange at the Store level and it wouldn't be applicable to the individual accounts that reside within that Store. Leave it to Microsoft to put the same damn permissions in 10 different places.

I just wish that RIM would update their installation instructions at some point to make room for a different fix. This is a lot of work, in my opinion, for the casual administrator - especially on larger rollouts, this is HIGHLY unacceptable (no fault to RIM short of not relaying this to users MONTHS ago when they first wrote their KB article and coming up with an appropriate workaround/procedure change).


I am following the instructions in KB-04707 on BB's site. After I set up the permissions on the OU, will any new account or any account moved into that OU have updated permissions too? Or will I have to set the permissions on the OU after each new account is created?

Last night we accidentally deployed the evil patch. Now no one can send. All of our users are organized in OUs under a root OU named "User Roles". I granted the "Send As" permission at the "User Roles" level, but still no one can send. I just called BlackBerry, and they say it may take 2 hours for the setting to take place, and if anyone tries to send a message the 2 hours resets. This doesn't sound right to me. The longest polling intervals I can think of are only about 15 minutes long. Any thoughts?

Also, I'm looking through AD, and I notice that the right does not appear to be applied to my user, but it is applied to the OU my user lives in. This seems odd. Thoughts?


Each object placed in the OU will inherit the permissions set on the OU unless inheritance is explicitly disabled on an object.

I'm trying to avoid burning an incident with Microsoft on this...

Check the permission settings and make sure it is applied to "User Objects". I applied it to my domain and checked a few random user objects in various OUs and the permission has been inherited on down the line. It's not likely that installing the update is affecting the inheritance.

You should have a Domain Users group in your Users container, which has every user in your org as a member; then add the BESAdmin account (or a BESAdmins group account if you have multiples), then assign the permissions as given in the RIM KB. Then in addition you may need to add the permission directly to the Users container and each OU/Users container.


Granting "Send As" at the store level grants permission to send as the database itself. Not sure why anyone would want to do that, but that's what that permission is for.

Also, Microsoft has changed the KB article that references this patch about 8 times. Back on rev 5.1 it was only 3 pages and now it's up to version 8 and 16+ pages. Two revisions today alone. Search the MS Knowledgebase for KB912918.

Back on version 5.1 of the doc, it lists the DSACLS command which can be used at the OU level to set the Send As permission. This was taken out of future revs but according to our MS rep is still a viable fix so you don't have to specifically set permissions on a per mailbox level.


I've done some more testing and discovered that what I did with the Send As permission DID fix the problem for normal users. But there are four of us in IT whose mailboxes are on accounts that also have Domain Administrator rights, and the permission was blocked from our accounts. We've made some changes, and removed domain admin from all those accounts, but the Send As right is still not being inherited. I even tried granting it explicitly on one account and mails are still bouncing.
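An added audit script for the inheritance questions raised in this thread (not from the thread, RIM or Microsoft): for every user under an OU it reports whether the BES service account holds the Exchange "Send As" extended right, whether that right is inherited from the OU, and whether inheritance is blocked on the object. The service account name, the OU distinguished name and the presence of the ActiveDirectory PowerShell module are assumptions.

```powershell
# Added example, not the thread's or vendor's code.
# Assumptions: ActiveDirectory module available; account and OU names are placeholders.
Import-Module ActiveDirectory

$ServiceAccount = 'CONTOSO\BESAdmin'                       # assumed BES service account
$SearchBase     = 'OU=User Roles,DC=contoso,DC=com'        # assumed OU discussed in the thread
# Well-known GUID of the Exchange "Send-As" extended right.
$SendAsGuid     = [Guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'

function Get-SendAsAudit {
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties nTSecurityDescriptor |
        ForEach-Object {
            $user = $_
            $acl  = $user.nTSecurityDescriptor
            # Find an Allow ACE for the service account carrying the Send-As extended right.
            $ace = $acl.Access | Where-Object {
                $_.IdentityReference.Value -eq $ServiceAccount -and
                $_.AccessControlType -eq 'Allow' -and
                ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
                $_.ObjectType -eq $SendAsGuid
            } | Select-Object -First 1

            [pscustomobject]@{
                User               = $user.SamAccountName
                HasSendAs          = [bool]$ace
                Inherited          = if ($ace) { $ace.IsInherited } else { $null }
                # True means "include inheritable permissions" is off on this object,
                # so an OU-level grant never reaches it (typical for accounts in
                # protected administrative groups).
                InheritanceBlocked = $acl.AreAccessRulesProtected
            }
        }
}

# Show only the users that would still fail to send after an OU-level grant.
Get-SendAsAudit | Where-Object { -not $_.HasSendAs -or $_.InheritanceBlocked } | Format-Table -AutoSize
```

Users listed with InheritanceBlocked set to True need the right granted explicitly on the object or inheritance re-enabled, and the report should be re-run after the change to confirm an Allow ACE is now present.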